IOTW: US Patent and Trademark Office suffers years-long data leak

The private information of more than 61,000 applicants was visible from 2020-2023

Olivia Powell
06/30/2023

US Patent and Trademark Office suffers years-long data leak

The US Patent and Trademark Office (USPTO) has announced that it has suffered a data leak that exposed the data of thousands of trademark applicants for the past three years.

The leak, which was active from February 2020 to March 2023, exposed the private addresses of more than 61,000 US citizens who applied for a trademark, around three percent of all those who filed for a trademark during this time period. This is due to the fact that, to prevent fraudulent applications, USPTO requires trademark applicants to provide a domicile address when they file for a trademark. This is most commonly a home address.

The leak was caused by an error in one of USPTO’s application programming interfaces (APIs), a piece of software that allows two systems to communicate with one another. In this case, the API allowed apps used by agency staff and those filing for trademarks (referred to as filers) to access its system that displays the status of trademark applications.

The addresses were also mistakenly published in large datasets USPTO shared online to aid in progressing economic and academic research.

In a statement to technology news site TechCrunch, USPTO spokesperson Paul Fucito said that the organization attempted to mask the domicile addresses in 2020 as part of USPTO’s efforts to “secure the data that the public accesses directly and frequently”. In doing so, however, the organization “failed to locate some of the more technical exit points and properly mask the data exported from those points”.
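The failure described above is an exit-point coverage problem: the same record leaves the system through a status API and through bulk research datasets, and a masking step applied to one path does not protect the other. The following is an added example, not USPTO code; the field names, the audience labels and the sample applicants are all constructed. It routes every outbound path through one policy function and adds a release-gate audit that scans each artifact for known domicile values, so an exporter that bypasses the policy (the `legacy_export_json` path here) is caught before publication rather than years later.

```python
"""Masking domicile addresses at every exit point (added example, not USPTO code)."""
from dataclasses import dataclass, asdict
import csv
import io
import json

# Assumed field names; the real USPTO schema is not on the page.
DOMICILE_FIELDS = frozenset({"domicile_street", "domicile_city", "domicile_postal_code"})
MASK = "[REDACTED]"


@dataclass(frozen=True)
class TrademarkApplication:
    serial: str
    mark: str
    status: str
    owner_name: str
    domicile_street: str
    domicile_city: str
    domicile_postal_code: str


def mask_record(record: dict, audience: str) -> dict:
    """Single policy function that every outbound path must call.

    'internal' callers (agency staff tooling) keep the domicile fields;
    any other audience gets them replaced with MASK.
    """
    if audience == "internal":
        return dict(record)
    return {k: (MASK if k in DOMICILE_FIELDS else v) for k, v in record.items()}


def status_api_response(app: TrademarkApplication, audience: str) -> str:
    """Exit point 1: the per-application status API (JSON)."""
    return json.dumps(mask_record(asdict(app), audience))


def bulk_export_csv(apps: list[TrademarkApplication], audience: str) -> str:
    """Exit point 2: the bulk research dataset (CSV)."""
    rows = [mask_record(asdict(a), audience) for a in apps]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def legacy_export_json(apps: list[TrademarkApplication]) -> str:
    """Exit point 3: an older exporter that never goes through mask_record.

    Deliberately left unmasked to show how the audit below catches it;
    this stands in for the 'technical exit points' the article mentions.
    """
    return json.dumps([asdict(a) for a in apps])


def audit_artifact(text: str, apps: list[TrademarkApplication]) -> list[str]:
    """Release gate: return the serials whose domicile data appears verbatim
    in an outbound artifact. An empty list means the artifact is clean."""
    leaked = []
    for a in apps:
        values = (a.domicile_street, a.domicile_postal_code)
        if any(v and v in text for v in values):
            leaked.append(a.serial)
    return leaked


# Constructed sample data; not real applicants.
SAMPLE = [
    TrademarkApplication("90000001", "EXAMPLEMARK", "Registered", "A. Applicant",
                         "12 Example Lane", "Springfield", "54321"),
    TrademarkApplication("90000002", "SAMPLEBRAND", "Pending", "B. Filer",
                         "7 Placeholder Road", "Shelbyville", "98765"),
]


def run_checks() -> dict[str, list[str]]:
    """Run the audit over every known exit point and report leaks per path."""
    return {
        "status_api_public": audit_artifact(status_api_response(SAMPLE[0], "public"), SAMPLE),
        "bulk_csv_public": audit_artifact(bulk_export_csv(SAMPLE, "public"), SAMPLE),
        "legacy_json": audit_artifact(legacy_export_json(SAMPLE), SAMPLE),
    }


if __name__ == "__main__":
    for path, leaked in run_checks().items():
        print(f"{path}: {'clean' if not leaked else 'LEAK ' + ','.join(leaked)}")
```

The audit is intentionally dumb: it does not trust the exporter to have called the policy, it looks for the sensitive values themselves in whatever is about to be published. That is the check that would have flagged both the API response and the bulk dataset, regardless of which code path produced them.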

In a notice about the breach sent to affected trademark applicants, USPTO said that when the issue was discovered, the organization “blocked access to all USPTO non-critical APIs and took down the impacted bulk data products until a permanent fix could be implemented”. The organization also said it did not believe the data had been misused by malicious actors.

USPTO apologized for the error and said it would “do better to prevent such an incident from happening again, while also preserving our ability to crack down on the historic amount of filing fraud we’re seeing originate overseas”.

The vulnerabilities were corrected and the addresses properly masked on April 1.

Cloud misconfiguration exposes the data of US senators

In March 2023, DC Health Link, the provider of health insurance for those in the US Government, suffered a data breach that affected more than 50,000 people.

On March 6, 2023, an unauthorized party gained access to the data of 56,415 current and past customers of DC Health Link, including 585 staff members and 17 members of the US Congress.

The US House of Representatives explained via a data breach notice to affected parties that the data breach had “potentially expose[d] the Personal Identifiable Information (PII) of thousands of enrollees”.

Once it became aware of the incident, DC Health Link reported the cyber attack to both the FBI and Google-owned cyber security firm Mandiant. The health insurance company also notified six other federal agencies whose employees used DC Health Link for their health insurance.

In documents submitted ahead of her testimony before the House Oversight Committee on April 19, Mila Kofman, executive director of DC Health Link, revealed that the data breach was caused by a cloud server misconfiguration.

Kofman said that the cloud misconfiguration was caused by human error rather than malicious intentions. 

Read more about the top cyber security incidents in June 2023 here.
